
Forgive me, HT. I guess I was wrong. A question like that coming from someone who describes himself as a "Know-it-All Master Beaver" had me thinking it was purely a rhetorical question.

So, here it is from the horse'$ mouth:

"Auto Logon stores your logon name and password in the registry, allowing you to automatically log on to Windows...without typing in your user name or password in the logon user interface. However, Auto Logon could also enable other users to access your files and use your name to commit malicious acts on the system (for example, anyone with physical access to the computer can boot the operating system and automatically be logged on). If you have Auto Logon enabled and you do not want to change it, make sure that you do not store any sensitive information on the computer. Since anyone who has physical access to your computer can use the autologon feature you should only use this feature in an environment that is both trusted and secured."

Originally posted here by brokencrow Forgive me, HT. I guess I was wrong. A question like that coming from someone who describes himself as a "Know-it-All Master Beaver" had me thinking it was purely a rhetorical question.

So, here it is from the horse'$ mouth:

"Auto Logon stores your logon name and password in the registry, allowing you to automatically log on to Windows...without typing in your user name or password in the logon user interface. However, Auto Logon could also enable other users to access your files and use your name to commit malicious acts on the system (for example, anyone with physical access to the computer can boot the operating system and automatically be logged on). If you have Auto Logon enabled and you do not want to change it, make sure that you do not store any sensitive information on the computer. Since anyone who has physical access to your computer can use the autologon feature you should only use this feature in an environment that is both trusted and secured."

So that's reading into MS Marketing Shite... I still don't see the danger of that... Once again... physical access is physical access... That's where the big threat comes in... Yes in a corporate environment not a good idea... but really no big problem in a home... So the password is in the registry... People would need access to your registry... and if they can read your registry... odds are they have easier means of obtaining your password (key logger for instance... or taking the SAM db)

You make it seem like Auto Logon is some horrible thing... It's not.. It's no more a risk than a share on your computer.

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

That's assuming the home is a trusted environment, or not part of a corporate office via VPN. I've seen homes that were NOT trusted, and others that plugged into corporate VPNs.

And again, I take issue with you on laptops. They should NEVER be set to automatically logon if there's the least bit sensitive data. Laptops are very vulnerable to theft, even from homes, as demo'd by the theft of a VA laptop from an admin's home just this year, putting millions of US veterans at risk of ID theft.

and if they can read your registry...

Just curious how you'd handle an LSA encrypted password? You going to pull that one out reading the registry?

Originally posted here by brokencrow That's assuming the home is a trusted environment, or not part of a corporate office via VPN. I've seen homes that were NOT trusted, and others that plugged into corporate VPNs.

And again, I take issue with you on laptops. They should NEVER be set to automatically logon if there's the least bit sensitive data. Laptops are very vulnerable to theft, even from homes, as demo'd by the theft of a VA laptop from an admin's home just this year, putting millions of US veterans at risk of ID theft.

Just curious how you'd handle an LSA encrypted password? You going to pull that one out reading the registry?

As usual, we have our differences.

Goodnight.

I never said I'd decrypt an LSA Encrypted password... But it looked to me from your post of MS's text that that was what you were using as your argument... that it's stored in the registry... I'm saying big deal if it's stored in the registry and you just supported that...

When is a home not a trusted environment??? You've got a problem if that's the case... As for people accessing corporate VPNs... you shouldn't be saving your VPN password and if it's for fear of infection... regardless of which profile is accessed, an infected machine is an infected machine... As it is corporations should have a policy in place that people cannot access the Corporate VPN from home machines... Those accessing the VPN should be provided with a work only laptop and that's how they should access them...

I still stand firm that there is no security risk to having Auto Login... no risk that's any different from the other risks associated with other people having physical access to the machine... Because that's how it is... plain and simple.. you can't argue it..

Physical Access = Risk
Auto Login = Exact same Risk..

Peace,
HT

PS -- I'm still shocked that you're quoting the MBSA whitepaper as a valid security resource... A program that looks at a default install of Windows and says "hey this is completely insecure but we shipped it to you that way"

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

as for guests... Why are guests roaming your home and accessing your computer... As for kids.. If you think multiple profiles keeps your kids from accessing your files.... come-on MLF... you're smarter than that.. As I said

Physical Access = risk
Auto Login = Exact Same Risk

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Well...guests that come to visit me from the west coast... and stay for 4 days tend to roam around my house............and have access to everything in my home...like the shower...fridge and ...omg...computers..........we have 6 all over the house....

This doesn't by any means include extended family.........

My profile is somewhat protected.....till I reboot

and I never save passwords.......

MLF

How people treat you is their karma- how you react is yours-Wayne Dyer

Originally posted here by spamdies hmmm, so the autologin stores the password in the reg, is that the same reg that gets game serials harvested by virii on a daily basis? Or do "special" xp machines have more than one reg.

Once again.. generally it will be encrypted... On top of that... If you're virus infected wouldn't you say you are already compromised?

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
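
Added example, not part of any post in this thread: a read-only PowerShell audit for the point the thread argues over, namely whether Auto Logon is enabled and whether the password sits in the registry as clear text or is held elsewhere. The Winlogon value names (`AutoAdminLogon`, `DefaultUserName`, `DefaultDomainName`, `DefaultPassword`) are the standard Windows ones and are not named in the thread; the function name `Get-AutoLogonAudit` is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of Auto Logon settings.
# Run in a PowerShell session on the machine being checked.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonAudit {
    param([string]$Path = $WinlogonKey)

    $values = Get-ItemProperty -Path $Path -ErrorAction Stop

    # AutoAdminLogon is a string value; '1' turns automatic logon on.
    $enabled = ($values.AutoAdminLogon -eq '1')

    # DefaultPassword, when present in this key, is stored as clear text.
    # Only its presence is reported; the value is never written to output.
    $plaintext = -not [string]::IsNullOrEmpty($values.DefaultPassword)

    # Accounts with an Allow entry on the key, i.e. who could read a
    # clear-text password if one is stored there.
    $readers = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $finding = if (-not $enabled -and -not $plaintext) {
        'Auto Logon is off and no password is stored in the Winlogon key.'
    } elseif ($plaintext) {
        'A clear-text DefaultPassword is stored in the Winlogon key; remove it and change that account password.'
    } else {
        # Assumption: with no clear-text value present, the credential is held as an LSA secret.
        'Auto Logon is on with no clear-text password in Winlogon; the credential is held elsewhere (assumed: an LSA secret).'
    }

    [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        AccountName       = $values.DefaultUserName
        DomainName        = $values.DefaultDomainName
        PlaintextPassword = $plaintext
        KeyAllowEntries   = $readers -join '; '
        Finding           = $finding
    }
}

Get-AutoLogonAudit | Format-List
```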